Skip to content

feat: add external token revocation support#2795

Draft
thenav56 wants to merge 2 commits into
developfrom
feature/external-token-revocation
Draft

feat: add external token revocation support#2795
thenav56 wants to merge 2 commits into
developfrom
feature/external-token-revocation

Conversation

@thenav56

@thenav56 thenav56 commented Jul 15, 2026

Copy link
Copy Markdown
Member

Addresses

Depends on

Changes

  • Add is_disabled flag on UserExternalToken as a revocation marker
  • Admin: list/filter + bulk disable/enable actions for tokens
  • Add POST /api/v2/external-token/verify/ endpoint returning
    {"active": bool} for a given jti (active iff not disabled,
    not old, and not expired)
  • Include iat (issued-at) claim in generated tokens

Checklist

Things that should succeed before merging.

  • Updated/ran unit tests
  • Updated CHANGELOG.md

thenav56 added 2 commits July 15, 2026 16:11
Enable revoking user external tokens before their natural expiry
(tokens are long-lived, up to 1 year).

- Add is_disabled flag on UserExternalToken as a revocation marker
- Admin: list/filter + bulk disable/enable actions for tokens
- Add POST /api/v2/external-token/verify/ endpoint returning
  {"active": bool} for a given jti (active iff not disabled,
  not old, and not expired)
- Include iat (issued-at) claim in generated tokens
- Tests for the verify endpoint
- Add POST /api/v2/external-token/{id}/revoke/ allowing users to
  revoke their own tokens (scoped via get_queryset; 404 for others,
  400 when already revoked)
- Expose read-only is_disabled on the token serializer; return token
  only on creation via get_token()
- Type the verify endpoint response schema
- Tests for revoke, listing, and get_token behavior
- Regenerate OpenAPI schema (assets submodule)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant